Why are passkeys safer than passwords?
Passkeys are becoming more common by the day, but are you sure you understand how they work?
If you understand how key-based SSH authentication works, you are already at home with the concept.
Simple version
A passkey is a secure, device‑based way to sign in using your fingerprint, face, or PIN instead of a password. Your device uses a hidden, autogenerated secret key to prove who you are.
Medium version
Instead of something you remember and type, a passkey uses your device (your phone or computer) and your screen lock (fingerprint, face ID, or PIN) to sign in securely.
Your device (which stores a secret, private key unique to you) proves it's really you without sending a password to the website, so there is no shared secret for attackers to steal.
When you log in, your device proves you're you by using the private key, without ever revealing it. Using the private key is the most sensitive step, and depending on settings and context you may or may not be prompted to authenticate. When authentication is required, access to the private key is unlocked with your existing screen-lock method (fingerprint, PIN, face ID).
If you switch devices, you’ll need to either sync your passkeys through your account or set them up again.
Full version (asymmetric cryptography)
Key Creation
When you create a passkey (e.g., during account setup on a website):
- Your device generates a key pair:
  - Private key: stays securely on your device.
  - Public key: sent to the website or service.
This is classic asymmetric (public-key) cryptography: the public key can verify your identity, but only the private key can prove it.
Where Are Keys Stored?
- The private key is stored either in your device's hardware (TPM chip, YubiKey, Secure Enclave), where it is made non-exportable, or in software (iCloud Keychain by Apple, Google Password Manager, Microsoft account/Windows Hello sync, and third-party managers like 1Password, Bitwarden, Dashlane), where it may be exportable.
- The public key is stored by the website or service you’re logging into.
You never type or transmit your private key. Your device uses it internally to sign a challenge during login, so if you hold the correct private key, you can access the service protected by the passkey.
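To make the key creation and challenge signing concrete, here is an added example (not code from the original article or from any passkey vendor) that models the flow in Go: the device generates a key pair and hands only the public half to the site, the site issues a random challenge, the device signs it, and the site verifies the signature with the stored public key. Ed25519 is an assumed stand-in for the real WebAuthn algorithms, and signing over "origin + challenge" is a simplification of WebAuthn's clientDataJSON/authenticatorData; the site name, credential ID and the "other.example" origin are constructed. It also shows the client/server split described later under "Key points to remember": signing happens on the device, verification on the server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator is the user's device: it keeps the private key and only ever hands out signatures.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey // a hardware authenticator would make this non-exportable
}

// Assertion is the login response the device returns to the website.
type Assertion struct {
	CredID    string
	Origin    string // origin the browser observed when it collected the signature
	Challenge []byte
	Signature []byte
}

// RelyingParty is the website: it holds public keys and outstanding challenges only.
type RelyingParty struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey // credential ID -> public key
	pending map[string][]byte            // credential ID -> not-yet-used challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register is key creation: the device generates the pair, keeps the private half and sends the public half.
func Register(rp *RelyingParty, credID string) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is unrecoverable in this example
	}
	rp.pubKeys[credID] = pub
	return &Authenticator{credID: credID, priv: priv}
}

// NewChallenge issues a fresh random challenge and remembers it so it is accepted at most once.
func (rp *RelyingParty) NewChallenge(credID string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.pending[credID] = ch
	return ch
}

// signedMessage binds the challenge to the origin, so a signature made for one site is useless to another.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Sign is the only thing the private key is ever used for (client side).
func (a *Authenticator) Sign(origin string, challenge []byte) Assertion {
	sig := ed25519.Sign(a.priv, signedMessage(origin, challenge))
	return Assertion{CredID: a.credID, Origin: origin, Challenge: challenge, Signature: sig}
}

// Verify is the server side: the challenge must be the outstanding one, the origin ours, the signature valid.
func (rp *RelyingParty) Verify(as Assertion) bool {
	pub, ok := rp.pubKeys[as.CredID]
	if !ok {
		return false
	}
	expected, ok := rp.pending[as.CredID]
	if !ok || !bytes.Equal(expected, as.Challenge) {
		return false // unknown, stale or replayed challenge
	}
	delete(rp.pending, as.CredID) // single use, whatever the outcome below
	if as.Origin != rp.origin {
		return false
	}
	return ed25519.Verify(pub, signedMessage(as.Origin, as.Challenge), as.Signature)
}

// Outcome records one genuine login and three assertions the server must reject.
type Outcome struct{ Login, Replay, OtherOrigin, WrongKey bool }

// Demo runs the whole flow against a constructed site and device.
func Demo() Outcome {
	rp := NewRelyingParty("https://example.com")
	dev := Register(rp, "cred-1")
	var o Outcome
	as := dev.Sign(rp.origin, rp.NewChallenge("cred-1"))
	o.Login = rp.Verify(as)
	o.Replay = rp.Verify(as) // same assertion again: the challenge is already spent
	o.OtherOrigin = rp.Verify(dev.Sign("https://other.example", rp.NewChallenge("cred-1")))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	other := &Authenticator{credID: "cred-1", priv: otherPriv} // right credential ID, wrong key
	o.WrongKey = rp.Verify(other.Sign(rp.origin, rp.NewChallenge("cred-1")))
	return o
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Running it prints `{Login:true Replay:false OtherOrigin:false WrongKey:false}`: only the device holding the registered private key, answering the current challenge for the right origin, gets in. Nothing secret ever crosses the wire, which is the property a password-based login cannot offer.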
What Happens If You Replace Your Device?
- Passkeys are typically device-bound, stored in hardware and non-exportable, so if you lose or replace your device, you lose the private key.
- However, modern ecosystems (Apple, Google, Microsoft) offer cloud sync of passkeys (not necessarily stored in hardware, but always allowed to be synced). Then:
  - your passkeys are first encrypted (with a "sync" key) and then synced across your devices,
  - you can log in from a new device as long as you're signed into your account (e.g., iCloud, Google Account), because that is how the private (sync) key is delivered to the other device.
If you're using non-synced passkeys (e.g., on a Linux device without cloud integration), you'll need to re-register your passkey on the new device.
Note: the actual key creation and encryption mechanisms, especially for sharing keys between several devices of the same user, are much more complex. It's enough to say that the sync keys are not derived from the user's account password alone.
Key points to remember
Authentication, that is, confirming your identity by checking the signature your device made over a challenge with its private key, is a server-side action (the server has your public key).
Using the private key, for signing or for decryption, happens only on the client, because the private key used for authentication never leaves your device (except for syncing with your other devices).
